Skip to main content
Shopify Webhook Tester

Test Shopify webhooks and inspect the raw HMAC

Point a Shopify webhook at a public URL and read the payload, the X-Shopify-Topic header and the base64 X-Shopify-Hmac-Sha256 signature in your browser. No signup, nothing to install.

Free, no account. Works with app and store webhooks.

Trusted by teams at

Coinbase Eudonet GEODIS WoodWing Optery Alteos ActiveAnts Apizee
How it works

Test a Shopify webhook in four steps

play.hook0.com receives the delivery for you, so you can see the exact body and the base64 signature before you write your verification.

Step 1

Get a public URL

Open the tester for a URL that accepts any POST. No install, no server to run.

Step 2

Subscribe a webhook to it

Set that URL as the address for a webhook topic, in the app config or with shopify app webhook trigger, then send a test delivery.

Step 3

Inspect the delivery

Read the raw body plus the X-Shopify-Topic, X-Shopify-Shop-Domain and X-Shopify-Hmac-Sha256 headers exactly as Shopify sent them.

Step 4

Match the HMAC

Copy the raw body and the signature into your handler and confirm your base64 HMAC matches before going live.

Signature

How Shopify signs a webhook, and the base64 trap

Shopify signs each webhook with your app secret so you can verify it is genuine. The catch that breaks most first attempts is the encoding. The digest is base64, not hex.

Signature header
X-Shopify-Hmac-Sha256.
Algorithm
HMAC-SHA256 over the raw request body, base64 encoded. Not hex, which is the usual mistake.
Signing secret
Your app client secret, the API secret key, rather than a per-webhook value.
Routing headers
X-Shopify-Topic names the topic, X-Shopify-Shop-Domain names the store, X-Shopify-Webhook-Id lets you dedupe.
Compare safely
Decode both sides and compare bytes with a constant-time check rather than comparing strings.
Send test events
shopify app webhook trigger sends a sample delivery to your URL.

Reading the exact body and the base64 X-Shopify-Hmac-Sha256 value in the tester shows you precisely what to reproduce.

FAQ

Shopify webhook testing questions

How do I test a Shopify webhook?

Open the tester to get a public URL, subscribe a webhook topic to it in your app config or with shopify app webhook trigger, then send a delivery. The tester shows the raw body and headers Shopify sent so you can inspect and replay them.

Why does my Shopify HMAC verification fail?

The most common reason is encoding: X-Shopify-Hmac-Sha256 is base64, not hex. Compute HMAC-SHA256 of the raw body with your app secret, base64 encode it, then compare. Sign the raw bytes, not a re-serialized body.

Which secret signs a Shopify webhook?

Your app client secret, also called the API secret key, signs every webhook. It is not a per-webhook secret, so the same value verifies all topics for that app.

How do I verify the X-Shopify-Hmac-Sha256 header?

Take the raw request body, compute HMAC-SHA256 with your app secret, base64 encode the result and compare it to the header with a constant-time check. Inspecting the exact body and header in the tester tells you what to feed the HMAC.

Is the webhook tester free?

Yes. play.hook0.com is free and needs no signup. When you are ready to send your own signed webhooks, Hook0 Cloud has a free tier and the server is open-source to self-host.

You have better things to build

Stop building webhook infrastructure. Start shipping features. Get started in minutes.

No credit card required
Setup in 5 minutes
Cancel anytime